HIPAA Privacy Rule Updated to Permit NICS Reports

The Department of Health and Human Services has issued a final rule permitting certain covered entities to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), changing the HIPAA Privacy Rule.

At the time of writing, HIPAA prevents healthcare providers from disclosing PHI, except in a very limited number of circumstances, without first having obtained permission from a patient. The rule change, which will become effective 30 days after publication in the federal register, will allow certain information about individuals to be divulged and entered into NICS by some HIPAA-covered entities.

NICS is maintained by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is permitted to purchase a firearm. When an FFL starts a NICS background check on an individual, the system will search three separate databases: The Interstate Identification Index (III), The National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on individuals who have been convicted of crimes, are wanted by law enforcement bodies, are deported felons, or who are subject to protection orders. The information that will be permitted to be disclosed under the new final rule would be used to update the NICS index.

The final rule covers a very specific subset of HIPAA-covered entities, and will only allow the disclosure of very specific information. The change does not permit healthcare providers or other HIPAA covered entities to divulge any diagnostic or clinical information. The only information that can be divulged is certain demographic information and a limited amount of PHI that is required by NICS for the purpose of identifying an individual as being prohibited from being involved in a firearm transfer.

The rule change will only impact individuals who are currently prevented from shipping, receiving, transporting, or possessing a firearm under current Federal laws. That includes individuals who are deemed to be a danger to others or themselves, or who lack the mental capacity to contract or manage their own affairs. This applies whether this incapacity or incompetency has been caused by a condition, disease, mental illness, or is due to subnormal intelligence.

It will also apply to individuals who have previously been involuntarily committed to a mental institution or deemed to have been incompetent to stand trial, or have been found not guilty of a crime by reason of insanity.

The rule change does not apply to all HIPAA-covered entities, only those who are required to make a decision on adjudications or commitment, or “that serve as repositories of information for NICS reporting purposes.” The only information that can be disclosed is that which allows a judgement to be made that the individual is subject to the Federal mental health prohibitor under the Gun Control Act (1968).

While it is important to protect the privacy of all healthcare patients, certain information is required by government organizations in order to make decisions to better protect the public, hence the need for the final rule change.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.